Analysis of Error Impact for Batch Handover Authentication Protocols in Mobile Wireless Networks

,


I. INTRODUCTION
Advancement in mobile communication technologies such as 5G has entailed a dramatic improvement in the speed of wireless communication networks [1]. A mobile wireless network (MWN) [2], as shown in Fig. 1, is composed of an authentication server (AS) that is a major entity, a number of access points (APs) that are connected to the AS, and a number of mobile nodes (MNs) that are connected to an AP. An MN first registers its own real identity to the AS, and then a pseudo-identity is issued from the AS. Thereafter, the MN connects to the AS using the pseudo-identity. In order for an MN to be connected to the AS, it should be verified as a legitimate user by a nearby AP. The AP verifies the validity The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava . of the MN and allows only authorized MNs to connect to the AS. Handover authentication protocol provides seamless roaming securely when an MN is moving from the currently connected AP to another AP.
This protocol has to preserve privacy and guarantee user anonymity and untraceability. In addition, it should provide not only subscription validation between an AP and a MN, but also mutual authentication and session key agreement [3]. Because the wireless communication environment is vulnerable to security breaches, it should have resistance to all known attacks [4]. Therefore, the handover authentication protocol should be efficient while guaranteeing security by using cryptographic technology. To accomplish this, many protocols have been proposed over the past few decades [5]- [9]. However, most of them are insecure or inefficient. PairHand, proposed by He et al. [10], is a handover authentication protocol that uses identity-based public key cryptography (ID-based PKC) based on bilinear pairing. It provides privacy preservation and user anonymity and minimizes communication and computation overhead.
PairHand guarantees appropriate security levels with minimum signature length by utilizing elliptic curve cryptography (ECC). Moreover, it minimizes handshakes between server and client, thereby improving the efficiency dramatically compared to other handover authentication protocols [5]- [7]. It also provides not only the individual authentication that validates messages individually but also the batch authentication [11]- [14] that validates multiple messages all together in order to decrease the burden on an AP that handles lots of handover requests.
He et al. [10], however, pointed out that their protocol suffers from the key compromised problem [15]. Also, they proposed a simple improved protocol. But, Yeo et al. [16] proved that the protocol proposed by He et al. [15] still suffers from the key compromised problem and is therefore insecure. Subsequently, He et al. [17], Wang and Hu [18], and Tsai et al. [19] proposed improved protocols in which security features are supplemented by inserting random numbers into request messages. The protocols proposed by them are pairing-based handover authentication protocols that use bilinear pairing on both the AP and MN side. However, they have a problem in that a burden can be imposed on an MN with limited resources because the protocol uses heavy bilinear pairing operations and map-to-point operations [4]. Since then, Islam and Khan [4], Wang et al. [20], and Chaudhry et al. [21] have proposed pairing-free handover authentication protocols that do not use bilinear pairing during on the authentication process. And He et al. [22] have analyzed the communication cost and security of various protocols proposed thus far to seek further enhancement.
However, previous studies [23]- [31] have not considered errors that may occur in the wireless communication channels between APs and MNs. Since multiple signals share the same propagation medium over the wireless communication channel, severe interference occurs between the various signals. As a result, errors are more likely to occur in a wireless communication channel than in a wired communication channel [32]. If errors occur frequently due to the geographic environment at a specific position in the MWN or an attacker takes part in the community of MNs and inserts errors into the verification message continuously [21], verification failures of APs will occur frequently. This means that the burden of message verification on the APs becomes heavier. For example, AP2 in Fig. 1 receives handover request messages from several MNs. Individual verification of these request messages does not affect the authentication of the remaining non-error messages even if some messages have errors. On the other hand, in a batch verification, an error in one message affects the verification of messages that have no errors because the error causes a verification failure for the entire (batched) message. This means that a batch verification requires additional operations if there is a high probability of errors in the handover request messages. When the probability of errors is over a certain level, the delay in batch verification may exceed the sum of delays for individual verifications because of frequently occurring errors.
Until now, the proposed handover authentication protocols have focused only on security and efficiency, so there has been no prior investigation of the impact of errors on computation cost. In this study, we aim to analyze the performance of batch verification through an analysis of computation costs in the presence of errors that are likely to occur in wireless channels. To this end, we measure the processing times of the He et al. [10]'s protocol and derive the individual verification delay as a function of the processing time and graph it. And we derive the batch verification delay as a function of the bit error probability and graph it. As the bit error probability increases, the individual verification delay remains unchanged, but the batch verification delay increases. Next, we find the point which the intersection of batch verification graph and individual verification graph meet. Also, we evaluate the communication and computation cost of the handover authentication protocols previously proposed.
From the comparison, we find that the point at which the intersection of batch verification graph and individual verification graph appears varies by protocol. In the case where the intersection is formed when the error probability is relatively low, the delay increase is large even if the error probability is slightly increased. On the other hand, protocols for which intersections are formed when the error probability is high have a small increase in delay. This comparison shows that the lower the communication cost and the faster the batch verification is compared to the individual verification, the less influenced the protocol is by error rate. In other words, both communication cost and computation cost should be minimized in order to minimize the influence of errors in batch verification. We propose a mini-batch verification method to reduce the impact of errors based on these analysis results. We also demonstrate that the application of this method to previous studies [4], [10], [17], [18], [20] can mitigate the impact of errors.
• We investigate batch verification through formulas and simulations and find that the batch verification delay can exceed the individual verification delay owing to the impact of errors.
• We propose a mini-batch method to mitigate the impact of errors in batch verification and demonstrate its applicability to previously proposed protocols. The rest of this paper is organized as follows. Section II reviews the protocol proposed by He et al. [10] that provides preliminary knowledge for a better understanding of this study. A method for estimating the computation cost of verification methods is analyzed in Section III. Section IV evaluates and compares the computation cost and communication cost of the protocols previously proposed. In Section V, a mini-batch verification method is proposed to mitigate error impact based on the analysis results presented in Sections III and IV. The conclusions are summarized in Section VI.

A. ELLIPTIC CURVE AND BILINEAR MAPS
When p is a large prime number, E F p is a point on an elliptic curve that is defined as y 2 mod q = x 3 + ax + b mod q (a, ∈ F p ) in the finite field F p . All points on E F p including the point at infinite O form a cyclic additive group G. Assuming that P (x 1 , y 1 ) and Q (x 2 , y 2 ) are points on E F p , and R (x 3 , y 3 ) is a coordinate of the point at which the line (if P = Q, then the tangent line) that crosses P and Q meets a elliptic curved line, the coordinates of P + Q become (x 3 , −y 3 ). Here, operation kP = P+P+P+. . .+P (k times) is referred to as the scalar point multiplication in the group G.
When G is a cyclic additive group of order q and G T is a cyclic multiplicative group of the same order q (where q is a large prime), the bilinear mapê : G × G → G T satisfies the following properties [33]: (1) Bilinearity:ê (aP, bQ) =ê (P, Q) ab , where P, Q∈G and a, b∈Z * q . (2) Non-degeneracy:ê (P, Q) =1 G T .
(3) Computability: There exists an efficient algorithm to computeê (P, Q) for some P, Q∈G.
The advantage of using ECC is that it is computationally very difficult to infer abP when P, aP and bP (computational Diffie-Hellman) are given. Furthermore, the advantage of using bilinear pairing is thatê (P, P) ab is exceedingly difficult to infer when P, aP, bP (bilinear Diffie-Hellman) are given [33]. Notably, PairHand [10] uses the aforementioned properties to validate the handover request messages. It also reduces the number of handshakes between AP and MN over previous studies requiring at least three rounds of handshake [5]- [7]. These advantages have led to PairHand attracting the attention of researchers [13]- [24].

B. ERROR PROBABILITY FOR A TRANSMITTED MESSAGE
In data transmission, a bit error ratio (BER) p e represents the probability of receiving an erroneous bit. A packet error ratio (PER) p p represents the probability of receiving an erroneous packet. When the length of one packet is m bits, p p is determined by p e as shown in (1). (1)

C. REVIEW OF PairHand
Previously proposed handover protocols were implemented using chameleon hashing [5], symmetric encryption [8], or simple hash function [9]. Additionally, even if ECC is used, at least a three-way handshake is required [6], [7]. However, PairHand, which was proposed by He et al. [10], requires only a two-way handshake between MN and AP for mutual authentication and key establishment [23]. In this section, we will review the three phases of PairHand. Thus, we will be able to understand how PairHand could reduce the number of handshakes.
In the initialization phase, the AS chooses s∈Z * q as a master key and calculates P of G and P pub = sP. Afterwards, it chooses a map-to-point hash H 1 and a cryptographic hash H 2 , where H 1 : {0, 1} * →G and H 2 : {0, 1} * →Z * q . Then, the AS broadcasts the public system parameters params = G, G T , q, P, P pub , H 1 , H 2 to the MWN and stores s securely.
In the registration phase, an AP that received the system parameters from the AS sends its own identity ID AP to AS via a secure channel. Then after checking its validity, the AS calculates (H 1 (ID AP ) , sH 1 (ID AP )) and sends it to the AP to complete the registration procedure. Likewise, an MN sends its own real identity ID i to the AS via a secure channel. After verifying the validity of the MN, the AS creates the pseudo-ID and secret key pair, PID = pid j , sH 1 pid j (j = 1, 2, 3, . . .) and sends it to the MN to complete the registration procedure. After the registration procedure is completed, the AS does not participate in handover authentication, and therefore, the burden of AS is dramatically reduced.
In the handover authentication phase, as shown in Fig. 2, MN i selects the pid i , sH 1 pid i pair that was not used and calculates and ts is a timestamp. Subsequently, it sends a handover request message M i , σ i to an AP and calculates its own symmetric key K i−A = e sH 1 pid i , H 1 (ID AP ) . After receiving a request message from MN i, the AP checks a freshness of ts. Then, the AP calculates If two pairing results match, a symmetric key of AP K A−i = e H 1 pid i , sH 1 (ID AP ) is calculated; otherwise, authentication is rejected. Next, after calculating an authentication message Aut = H 2 K A−i ||pid i ||sH 1 (ID AP ) , the pid i , ID AP , and Aut are sent to MN i. Since the message contains symmetric key information, additional handshake for symmetric key exchange [5], [9] is not required for AP and MN.
After receiving the authentication message from the AP, MN i calculates a verification message Ver = H 2 K i−A ||pid i ||ID AP using the symmetric key K i−A that it owns and checks a validity of the authentication message by verifying whether Aut and Ver are identical. Consequently, PairHand does not need to send or verify certificates as it does in traditional public key cryptography systems.

D. BATCH VERIFICATION OF PairHand
In the MWN environment shown in Fig. 1, a number of handover request messages are transmitted to one AP. To efficiently process these, the protocol by He et al. [10] provides a batch authentication. It is possible to verify the handover request messages that were received from n MNs Table 1 summarizes whether the protocol employs the ECC and supports batch verification. Batch verification can dramatically reduce the computational cost, so it can be widely used for practical handover authentication protocols.
As described in section II.C, PairHand [10] efficiently minimizes the number of handshakes, reduces the burden of AS and AP, and does not require the transmission of certificates. This protocol also offers an adequate level of security, in addition to providing efficient batch verification. These are the advantages of PairHand that we focus on, and we will analyze its performance in section III. In section IV, we will evaluate the additional batch verification protocols developed by He et al. [17], Wang and Hu [18], Islam and Khan [4] and Wang et al. [20], which are known to be excellent among the protocols listed in Table 1.

III. ANALYSIS OF VERIFICATION DELAY
In this section, we analyze the performance of the protocol proposed by He et al. [10]. In Section IV, we classify various handover authentication protocols into pairing-based protocols and pairing-free protocols and evaluate and compare communication and computation costs. Table 2 lists the average processing time and notation of super singular elliptic curve and non-super singular elliptic curve protocols described in Sections III and IV. The pairing-based protocols [10], [17], [18] all use a super singular elliptic curve, whereas the pairing-free protocols [4], [20] all use a non-super singular elliptic curve. The operations that pairingbased protocols typically use include scalar point multiplication T G sm , point addition T G pa , map-to-point hash function in G T G M 2P , bilinear pairing T G bp , and cryptographic hash T h . On the other hand, pairing-free protocols do not use bilinear VOLUME 8, 2020  pairing and map-to-point hash function inḠ, therefore; only scalar point multiplication TḠ sm and point addition TḠ pa operations are described. The super singular elliptic curve E F p is defined on the finite field F p and is implemented by using the Tate pairing [34] defined on G. The group G with order q is a point on E F p , and both p and q are prime numbers with 512 and 160 bits, respectively. The non-super singular elliptic curveĒ Fp is defined on the finite field Fp and the groupḠ with orderq is also a point onĒ Fp . Bothp andq are prime numbers of 160 bits. Each processing time listed in Table 2 represents the average time required for performing each operation 10,000 times. Simple operations except the hash and elliptic curve operations are skipped. In addition, an operation time of the MN is not described because it is irrelevant to the verification time of the AP. MIR-ACL [35] lib with i5-4690, Ubuntu-16.04 32-bit is used for measurement.

A. ANALYSIS OF VERIFICATION DELAYS ASSUMING NO ERRORS
An individual verification indicates a method to individually verify the n request messages in an AP. A batch verification refers to a method to process the n request messages at once. In the case of individually verifying n messages with the protocol of He et al. [10], the individual verification delay d ind is expressed as shown in (2).
In batch verification, the 2n bilinear pairing operations in individual verification are replaced by 2n point addition operations and 2 bilinear pairing operations, resulting in a batch verification delay d bat expressed as shown in (3).
If there is an error in a message sent by multiple MNs in Fig. 1, the signature check will fail and consequently the whole message verification will fail. Failure in verification, in turn, causes a rejection of authentications without performing a calculation of the symmetric key K A−i and authentication message Aut. Thus, the computation times for symmetric key and authentication message are not affected by errors. Accordingly, (2) and (3) can be expressed as (4) by grouping into a signature check term that is affected by errors and a key computation term that is not affected by errors. In (4), d ind−chk and d bat−chk denote the delays required for signature check and d key denotes a delay for calculating K A−i and Aut.
Based on (2)-(4), individual verifications and a batch verification require 1.5954 s and 0.9159 s, respectively, to process 100 messages.

B. ANALYSIS OF VERIFICATION DELAY CONSIDERING ERRORS
If a request message contains errors, individual verification can reject only the messages with errors because individual verification inspects each message individually, whereas even one bit error in a batch verification causes a verification failure of the entire batch of messages. Therefore, the messages have to be requested again to all MNs or individual verifications must be performed again to seek the message containing errors. A message re-transmission request to all MNs incurs a computation cost as well as a communication cost, thus it is not appropriate because of a longer delay and a burden to the MN. In this regard, when a failure occurs in a batch verification due to errors, it is relevant to check the messages for errors using individual verification and to reject only the message(s) containing errors. When a batch verification fails due to errors, a delay d bat−fail is represented as (5).
To calculate the computation cost caused by an error during the verification process, a probability of error occurrence in a request message must be calculated. If the length of a request message is m bits and the probability of error occurrence in each bit is p e (p e is independent), the probability P E that an error occurs in one or more bits within the n request messages can be expressed as (6). In (6), an increase in p e leads to an increase in P E .
, the expectation of verification delay according to P E , is expressed as (7). In (7) Fig. 3 depicts the verification delay according to bit error probability when the protocol proposed by He et al. [10] is used to process 100 handover request messages in one AP. A dashed line and a solid line indicate an individual verification delay and a batch verification delay, respectively. Let us now find P E where the solid line meets the dashed line. Equation (8) Equation (9) is a representation of p e after substituting (6) for P E in (8).
Here, if we set p e in (9) to the bit error probability p x at intersection of individual and batch verifications, we see that when p e is less than p x , the batch verification is efficient because the batch verification delay is less than the individual verification delay. On the other hand, when p e is greater than p x , a batch verification is less efficient than individual verification. Lower p x in a batch verification implies the protocol is more sensitive to errors. Therefore, in (9), as d bat−chk /d ind−chk increases the protocol becomes more sensitive to errors. Likewise, as the length of the request message m and the number of MNs n participating in verification increase, the protocol becomes more sensitive to errors.
Here, since m and n are directly associated with communication cost, this can be stated in another way: as the communication cost increases, the protocol becomes more sensitive to errors. This will be proved in Section IV through analysis of each protocol.

IV. EVALUATION AND COMPARISON OF PROTOCOLS
In this section, we calculate the computation costs of various protocols previously proposed. Moreover, the bit error VOLUME 8, 2020  probability p x at intersection is derived by comparing the computation costs and the verification delays according to the bit error probability using a graph. By doing this, it is possible to verify which protocol is more sensitive to errors. Fig. 4 depicts the handover authentication phases of each protocol. From this, we can infer the lengths of request messages transmitted via wireless channels and the operations required for verification in an AP. The protocols of He et al. [17] and Wang and Hu [18] have a higher communication cost than the protocol of He et al. [10]. Because the protocols of Islam and Khan [4] and Wang et al. [20] use non-super singular elliptic curves, the communication cost is low and the verification is fast. The protocol of Wang et al. [20] exchanges the parameters required for key computation in the initialization phase, and after the verification succeeds, the symmetric key is calculated immediately without sending an authentication message from the AP to the MN.

B. EVALUATION OF COMMUNICATION AND COMPUTATION COST
According to analysis results in Section III, the batch verification delay increases if an error occurs in the message that the AP receives from the MN. On the other hand, if an error occurs in the message that the AP sent to the MN, the batch verification delay of the AP does not increase because the MN must perform the verification process all over again from the beginning. Therefore, it is necessary to classify the communication cost into two parts: the cost that the AP receives from the MN and the cost that the AP sends to the MN. To analyze the communication cost, the length of each parameter must be identified. The lengths of p,p, q, andq, parameters that are used in each protocol, are 512, 160, 160, and 160 bits, respectively. Accordingly, the lengths of G,Ḡ, and Z * q are 1024, 320, and 160 bits, respectively. Pseudo-ID pid i of the MN, ID ID AP of the AP, and timestamp ts are each 4 bytes. In addition, the results of the cryptographic hash function and the map-to-point in G function are 160 bits and 1024 bits, respectively. Based on the description thus far, Table 3 summarizes the communication cost calculation when an AP sends or receives messages.
In the protocol of He et al. [10] that uses a super singular elliptic curve, a request message consists of pid i , ID AP , ts, and σ i . Since the length of pid i , ID AP , and ts is 32 bits each, and σ i is 1024 bits, the length of a message that the AP receives, as presented in Table 3, becomes 1,120 bits. Since the request messages of He et al. [17] and Wang and Hu [18] are longer than those of He et al. [10] by a random point R i , the message length that the AP receives is 2,144 bits. In the protocol of Islam and Khan [4] that uses a non-super singular elliptic curve, a request message consists of pid i , ID AP , ts, Y i , R i , and σ i . Since the lengths of pid i , ID AP , ts, Y i , R i , and σ i are 32, 32, 32, 320, 320, 160 bits, respectively, the length of a message that the AP receives becomes 896 bits. Finally, the protocol of Wang et al. [20] with a request message consists of L i , pid i , ID AP , ts, b i , R i , and A i . Since the lengths of L i , pid i , ID AP , ts, b i , R i , and A i are 320, 32, 32, 32, 160, 320, 320 bits, respectively, the length of a message that the AP receives becomes 1,216 bits.
The protocols of He et al. [10], Wang and Lu [18], and He et al. [17] all transmit pid i , ID AP , and authentication message Aut to the MN after a successful verification, so the length of the message that the AP sends becomes 224 bits. The protocol of Islam and Khan [4] transmits pid i , ID AP , R AP , and Aut to the MN after a successful verification, so the length of the message that the AP sends becomes 544 bits. The protocol of Chaudhry et al. [21] is capable of performing key computation of the AP and the MN without a reply from the AP and the length of the message that the AP transmits is 0, accordingly. Table 4 presents the delays under the assumption that each protocol performs individual verifications for messages sent from 100 MNs using the processing times listed in Table 2. In the case of He et al. [10]'s protocol depicted in Fig. 2   T G bp + T h to calculate one key. If the protocol individually verifies n messages, the verification delay can be expressed as n T G sm + T G M 2P + 2T G bp + T h + n T G bp + T h . Since He et al. [17]'s protocol depicted in Fig. 4(a) requires one more bilinear pairing operation than He et al. [10]'s protocol, it needs T G sm + T G M 2P + 3T G bp + T h to check one message and T G bp + T h to calculate one key. If the protocol individually verifies n messages, the verification delay can be expressed as n T G sm + T G M 2P + 3T G bp + T h + n T G bp + T h . Since Wang and Hu [18]'s protocol depicted in Fig. 4(b) requires one more point addition operation than He et al. [10]'s protocol, it needs T G sm + T G pa + T G M 2P + 2T G bp + T h to check one message and T G bp + T h to calculate one key. If the protocol individually verifies n messages, the verification delay can be expressed as Fig. 4(c), 2T h is required in the calculation of z i and h i , TḠ sm is required in the calculation of σ i · P, and 2TḠ sm + 2TḠ pa is required in the calculation of Y i + z i R i + h i · P pub . Furthermore, 2TḠ sm + TḠ pa is required in the calculation of K A−i and 2T h in the calculation of Aut and sk. Consequently, Islam and Khan [4]'s protocol needs 3TḠ sm + 2TḠ pa + 2T h to check one message and 2TḠ sm + TḠ pa + 2T h to calculate one key. If the protocol individually verifies n messages, the verification delay can be expressed as n 3TḠ sm + 2TḠ pa + 2T h + n 2TḠ sm + TḠ pa + 2T h . Regarding Wang et al. [20]'s protocol depicted in Fig. 4(d), 2T h is required in the calculation of c i and d i , TḠ sm + TḠ pa in the calculation of b i P − A i , 2TḠ sm + TḠ pa in the calculation of c i d i P pub + d i · R i , and TḠ sm + T h in the calculation of K A−i . Consequently, Wang et al. [20]'s protocol needs 3TḠ sm + 2TḠ pa + 2T h to check one message and TḠ sm + T h to calculate one key. If the protocol individually verifies n messages, the verification delay can be expressed as n 3TḠ sm + 2TḠ pa + 2T h + n TḠ sm + T h . Table 5 presents the parameters related to batch verification delay. We consider only the signature checking time because the key computation time is similar to that in the case of individual verification. In He et al. [10]'s protocol depicted in Fig. 2

Regarding Islam and Khan [4]'s protocol depicted in
to batch verify n messages. Since He et al. [17]'s protocol in Fig. 4(a) requires n more point addition operations n × T G pa and one more bilinear pairing operation T G bp than He et al. [10]'s protocol, it needs n × T G sm + 3T G pa + T G M 2P + T h + 3T G bp to batch verify n messages. Since Wang and Hu [18]'s protocol depicted in Fig. 4(b) requires n more point addition operations for e n i=1 . . . + R i , . . . than He et al. [10]'s protocol, n × T G sm + 3T G pa + T G M 2P + T h + 2T G bp is required to check n messages.
For the protocol of Islam and Khan [4] depicted in Fig. 4(c), n×TḠ pa +TḠ sm is required in the calculation of n i=1 σ i ·P, and 94120 VOLUME 8, 2020 n × TḠ pa + n × TḠ sm + TḠ pa + n × TḠ pa + TḠ sm + 2TḠ pa is required in the calculation of n i=1 Y i + n i=1 z i R i + n i=1 z i h i ·P pub . The calculation of z i and h i is the same as that in the case of individual verification. Consequently, Islam and Khan [4]'s protocol needs n × TḠ sm + 4TḠ pa + 2T h + 2TḠ sm + 2TḠ pa to batch verify n messages. Regarding Wang et al. [20]'s protocol shown in Fig. 4(d), n×TḠ pa +TḠ sm is required in the calculation of n i=1 b i ·P, and n×TḠ pa +TḠ sm +n× TḠ sm + 2TḠ pa + TḠ pa in the calculation of The calculation of c i and d i is the same as that in the case of individual verification. Consequently, Wang et al. [20]'s protocol needs n× TḠ sm + 4TḠ pa + 2T h +2TḠ sm +TḠ pa to batch verify n messages. The batch verification delay between the protocols of Islam and Khan [4] and Wang et al. [20] has only a difference of TḠ pa , which is insignificant compared to operations such as TḠ sm and T G M 2P . In Table 5, p x was derived using (9). When the protocols of He et al. [17] and Wang et al. [20], which have similar d bat−chk /d ind−chk , are compared, the protocol of Wang et al. [20], which has a lower communication cost, shows a larger p x . Likewise, when the protocols of He et al. [10] and Wang and Hu [18], which have similar d bat−chk /d ind−chk , are compared, the protocol of He et al. [10], which has a lower communication cost, shows a larger p x . When the protocols of He et al. [17] and Wang and Hu [18], which both have the same communication costs, are compared, the protocol of He et al. [17], which has a lower d bat−chk /d ind−chk , shows a larger p x . Consequently, as described in Section III, the greater the d bat−chk /d ind−chk and the greater the communication cost, the more sensitive the protocol is to errors. Fig. 5 is a graph that represents the expectation E [d] of verification delay according to a bit error probability p e by applying the results of Table 4 and Table 5 as well as (7). As previously described in Section III.A, because an individual verification is not affected by errors, no change in delay is observed even if p e increases. On the other hand, batch verification delay increases as p e increases. In Fig. 5, p x indicates the intersection of individual verification delay and batch verification delay of each protocol. As shown in Table 5. The protocol of Wang and Hu [18] with a small p x shows a sharply increased tendency in batch verification delay with increasing p e . This implies that the protocol is more sensitive to errors as described in Section III.B. On the contrary, the protocols of Islam and Khan [4] and Wang et al. [20], which have higher p x , show a relatively gradual increase in batch verification delay as p e increases. This implies that these protocols are less sensitive to errors.

V. MINI-BATCH VERIFICATION TO MITIGATE THE IMPACT OF ERRORS
In this section, we propose a method to reduce the delay of batch verification. In Section III, we showed that batch verification fails when an error of one bit or more occurs among several handover request messages. Therefore, by reducing the number of handover request messages that are simultaneously processed in the batch verification phase, the impact of errors can be reduced. We therefore propose a method to verify handover request messages by dividing them into several mini-batches rather than verifying them all at once. If 100 handover request messages are assumed to be processed by one AP, these messages can divided into two minibatches, as shown in Fig. 6. The number of messages in a mini-batch should be 2 or more.
If we denote each verification delay as d k−mb when n handover messages are divided into k mini-batches, d k−mb can be expressed as (10). In (10), d bat−chk (n/k) refers to the delay required for signature check while verifying n/k handover request messages, and d key (n) refers to the delay required for calculating n keys.
The term 2 (k − 1) × T G bp in (10) represents the additional overhead due to mini-batch verification compared to (4).
, which is the expectation of a mini-batch verification delay, is expressed as (11). In (11), P E (n/k) indicates the probability of an error occurring in one or more bits within n/k request messages.
The verification delays when the protocols analyzed in section IV were applied to mini-batch verification, are summarized in Table 6. Fig. 7 depicts the expectation of minibatch verification delay when k = 1, 2, 5, 10, 25, 50, which are based on the expectation values presented in Table 6. Two characteristics are observed to be common among the five graphs depicted in Fig. 7. First, if the bit error probability is exceedingly small (close to zero), or very large (greater than 10 −3 ), the performance of mini-batch verification is worse as compared to that of batch verification. This is due to the additional overhead 2 (k − 1)×T G bp of mini-batch verification in (11). However, when the bit error probability is a mid-range value, the delays of some mini-batch verifications are found to be smaller than those of batch verifications. It is interpreted that P E [n/k] in (11) is always smaller than P E in (7), and the difference is maximized when the bit error probability is a mid-range value, and consequently, the mini-batch overhead is offset. VOLUME 8, 2020  Second, the number of mini-batches is not always proportional to the performance of the verification method. Depending on the bit error probability, the k value of the mini-batch that minimizes the expected verification delay varies. This is due to the two terms, d ind−chk (n) × P E [n/k] and 2 (k − 1) × T G bp , given in (11). Notably, d ind−chk (n) × P E [n/k] decreases as k increases. On the contrary, 2 (k − 1) × T G bp increases as k increases. If k is too large, the delay becomes worse because the decrease due to d ind−chk (n) × P E [n/k] is offset by the increase due to 2 (k − 1) × T G bp . That is, it is necessary to find the optimal value of k that can minimize (11). Consider the following equation: , k = 1, 2, . . . , n/2 (12) When mini-batch verification is used, messages can be verified with a delay smaller than that of individual verification over a wider range of bit error probability as  compared to using only batch verification. For example, in the case of the protocol of He et al. [10], the batch verification delay is smaller than the individual verification delay when the bit error probability is approximately 0.699 × 10 −5 or less, as shown in Fig. 5(a). However, in the case of minibatch, the interval of the bit error probability is enlarged. As shown in Fig. 7(a), the interval where the mini-batch verification delay is smaller than the individual verification delay ranges from zero to 0.731 × 10 −4 . In other words, the effective range of mini-batch verification compared to individual verification is roughly 10 times larger than that of a single batch. In general wireless communication, the bit error probability is measurable, and therefore, if only p e and the number of messages are given, the optimal value of k can be found using (12).

VI. CONCLUSION
This study analyzed the communication cost and computation cost of the handover authentication protocols that have been previously proposed. Previous studies analyzed only communication cost and computation cost of individual verification and did not account for errors in message transmission, whereas this study also analyzed the computation cost of a batch verification under the assumption of bit error probability p e in the handover request message. According to our analysis results, although the individual verification delay is not affected by errors, the batch verification delay increased with an increase in p e .
In particular, when the error probability is high, batch verification may show lower performance compared to individual verification. Moreover, this study derived the bit error probability p x at which the batch and individual verification delay graphs intersect. Lower p x means that the protocol is more sensitive to errors. In addition, when we implemented and compared the previously proposed protocols, we determined that the factors influencing p x include communication cost and the ratio d bat−chk /d ind−chk of the batch verification delay to the individual verification delay.
Finally, we proposed a method to mitigate the impact of errors. The method verifies n messages by dividing them into several mini-batches rather than a single batch. By applying this mini-batch verification to the protocols of He et al. [10], He et al. [17], Wang and Hu [18], Islam and Khan [4], and Wang et al. [20], we showed that our method can reduce the impact of errors in batch verification. However, mini-batch verification has additional overhead than batch verification, and the impact of additional overhead is significant when the bit error probability is extremely small, for example, less than approximately 10 −5 or exceedingly large, for example, greater than approximately 10 −4 . Therefore, mini-batch verification can be applied in a mobile wireless network environment in which the bit error rate is as low as 10 −4 or less. Furthermore, to perform mini-batch verification, it is necessary to find the optimal value of k according to the bit error rate.
In a real-world communication model such as VANET [36], messages sent over wireless communication generate more errors than theoretically calculated errors. A major contribution of this study is that it analyzed the error impact of the handover authentication protocol in a practical communication model and proposed a novel method to mitigate the impact of errors.
YOUNSOO PARK received the B.E. and M.E. degrees from the School of Electrical and Electronics Engineering, Chung-Ang University, Seoul, South Korea, in 2014 and 2016, respectively, where he is currently pursuing the Ph.D. degree in engineering. His research interests include computer networks, big data thinking education, computational thinking education, and elliptic curve cryptography (ECC).
HO-HYUN PARK received the B.S. degree from Seoul National University, in 1987, and the M.S. and Ph.D. degrees in computer science and engineering from KAIST, in 1995 and 2001, respectively. From 1987 to 2003, he was a Principal Engineer at Samsung Electronics. He is currently a Professor of electrical and electronics engineering with Chung-Ang University. His research interests include big data, deep learning, machine vision, information security, and real-time and embedded systems. VOLUME 8, 2020